USB malware swaps crypto wallet addresses and hides from security tools
Worldwide, Sun Jun 21 2026
A sneaky piece of USB malware has been quietly spreading since early 2026, tricking people into sending cryptocurrency to thieves without them noticing. The attack starts when someone plugs in an infected USB drive, thinking they're just opening a normal file. Behind the scenes, the malware hides real documents and replaces them with fake shortcuts that quietly load the virus instead. Once active, it scans the computer for anything related to Bitcoin, Tron, or Monero—especially wallet addresses and recovery phrases—and instantly swaps them with the hacker's own details when copied.
The theft doesn’t stop at wallet addresses. Every 500 milliseconds, the malware checks the clipboard for cryptocurrency seeds or private keys. If found, it hands full control of the wallet to the attacker, not just a single transaction. It even takes five quick screenshots over ten seconds, capturing whatever the victim was looking at—maybe a banking app or an exchange dashboard. To avoid detection, all stolen data travels through a hidden internet tunnel using Tor, making it nearly impossible for security tools to trace where the data goes.
What makes this malware tricky isn’t just its theft methods. It uses hard-to-read code, including encrypted Python scripts disguised as normal files, and shuts itself down if it spots someone trying to analyze it via Task Manager. Security experts warn this isn’t the first time clipboard hijacking has been used—but the combination of USB spread and Tor communication shows how attackers are getting smarter at avoiding detection.
Most people don’t think twice about plugging in a random USB drive, especially at work or in shared spaces. But these old-school tricks still work because they exploit trust in everyday tools. Even as cloud storage grows, USB drives remain a weak spot that hackers love to target. The best defense? Turning off autorun for USB drives, blocking risky shortcut files, and watching for odd network activity like connections to port 9050.
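The hidden-document-plus-fake-shortcut pattern described above can be checked for on a drive before anything is opened. The following is an added example, not code from the article or from any security vendor. It assumes the fake shortcut reuses the hidden item's name (with or without its extension), which the article does not specify, and the drive listing is constructed sample data.

```python
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" file attribute bit


def list_drive(root):
    """Top-level (name, is_hidden) pairs for a mounted drive (hidden bit is Windows-only)."""
    entries = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append((entry.name, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return entries


def suspicious_shortcuts(entries):
    """Return (shortcut, hidden_item) pairs where a visible .lnk shadows a hidden item."""
    hidden_by_key = {}
    for name, is_hidden in entries:
        if is_hidden:
            # Index by full name and by name without extension, case-insensitively.
            hidden_by_key.setdefault(name.lower(), name)
            hidden_by_key.setdefault(os.path.splitext(name)[0].lower(), name)
    findings = []
    for name, is_hidden in entries:
        base, ext = os.path.splitext(name)
        if is_hidden or ext.lower() != ".lnk":
            continue  # only visible shortcut files are candidates
        target = hidden_by_key.get(base.lower())
        if target is not None:
            findings.append((name, target))
    return sorted(findings)


# Constructed sample listing of a USB drive root: (file name, hidden attribute set?)
SAMPLE_LISTING = [
    ("Invoice_Q2.pdf", True), ("Invoice_Q2.pdf.lnk", False),  # shortcut named after hidden file
    ("Photos", True), ("Photos.lnk", False),                  # shortcut shadowing hidden folder
    ("Budget.xlsx", True), ("Budget.lnk", False),             # match without the extension
    ("Tools.lnk", False),                                     # shortcut with no hidden twin
    ("readme.txt", False),
    ("System Volume Information", True),                      # hidden, but no shortcut
]

if __name__ == "__main__":
    for shortcut, target in suspicious_shortcuts(SAMPLE_LISTING):
        print(f"suspicious: {shortcut} shadows hidden item {target}")
```

On a Windows machine, `suspicious_shortcuts(list_drive("E:\\"))` runs the same check against a real drive root; the drive letter is a placeholder.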
https://localnews.ai/article/usb-malware-swaps-crypto-wallet-addresses-and-hides-from-security-tools-964c0db7